Tonight my browser was eating up large amounts of memory, so I closed it and reopened it, which seemed to solve the problem. A while later I discovered that 224 MB of data was transferred (incoming) over TCP port 80 from 23.21.81.68 to 192.168.2.4 around the time I closed my browser. The funny thing is I am not running a web server on this machine (192.168.2.4). Further, I know that iptables was active at the time and I thought I had incoming traffic (not ESTABLISHED) on port 80 blocked. I start with all ports blocked in and out and then open individual ports. These are the two commands I issue in order to allow browser navigation out on port 80 on this machine:

I did a whois on the src ip and found that it is a dynamic hosting environment on Amazon's Elastic Cloud. They provide some information on filing a complaint, which I may do. The question I have is, how do I find out more about the data that was transferred? Is it somewhere on my filesystem? Should I be worried about trojans? What should I be concerned about, and how can I avoid this type of transfer in the future?

I discovered this large transfer using a packet sniffer program I wrote in order to keep track of data usage.

No, I'm sure that I wasn't streaming any media. I may have had the following link open in a tab, but I can't really remember for sure. Even if I did have it open there is no way it should amount to 224 MB!

Well, in 60 seconds of looking at that weather map, I got 4262090 bytes of data from Amazon. That tab was the only one open, everything else (pidgin etc) off. It's totally that weather map. It's just... data. I've not the time to dissect the webpage, but I'm sure there's a refresh loop in there somewhere.

Thank you for your help. Feel a little silly, but I'm just scratching the surface of being more aware of what is going in and out of my network. I need to get more familiar with Wireshark, and I definitely need to find another wx radar site. Thanks again.
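An added example, not part of the original thread: a per-flow byte counter that records which side sent the opening SYN, so that replies from a remote port 80 to a connection the browser opened are kept apart from unsolicited connections to local port 80. The packet records, the ephemeral port 51514, the address 203.0.113.9 and the function names are constructed for illustration; only 192.168.2.4 and 23.21.81.68 come from the post.

```python
from collections import defaultdict

LOCAL_IP = "192.168.2.4"  # the asker's machine, as given in the post

# Constructed sample records, as a sniffer might log them:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, length_in_bytes)
PACKETS = [
    ("192.168.2.4", 51514, "23.21.81.68", 80, "S", 60),    # browser opens connection
    ("23.21.81.68", 80, "192.168.2.4", 51514, "SA", 60),
    ("192.168.2.4", 51514, "23.21.81.68", 80, "A", 52),
    ("192.168.2.4", 51514, "23.21.81.68", 80, "PA", 420),  # HTTP request
    ("23.21.81.68", 80, "192.168.2.4", 51514, "A", 1500),  # HTTP response data
    ("23.21.81.68", 80, "192.168.2.4", 51514, "A", 1500),
    ("203.0.113.9", 40000, "192.168.2.4", 80, "S", 60),    # unsolicited inbound SYN
]


def account(packets, local_ip=LOCAL_IP):
    """Return {(remote_ip, remote_port, initiator): (bytes_in, bytes_out)}.

    initiator is "local" or "remote" depending on who sent the bare SYN,
    or "unknown" when the capture started in the middle of a connection.
    """
    initiator = {}                       # (remote, rport, lport) -> who opened it
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, flags, length in packets:
        outbound = src == local_ip
        if outbound:
            remote, rport, lport = dst, dport, sport
        else:
            remote, rport, lport = src, sport, dport
        flow = (remote, rport, lport)
        if flags == "S":                 # bare SYN: the sender is the initiator
            initiator[flow] = "local" if outbound else "remote"
        who = initiator.get(flow, "unknown")
        totals[(remote, rport, who)][1 if outbound else 0] += length
    return {key: tuple(val) for key, val in totals.items()}


def remote_initiated(report):
    """Remote addresses that tried to open a connection to this machine."""
    return sorted({ip for (ip, _port, who) in report if who == "remote"})


if __name__ == "__main__":
    report = account(PACKETS)
    for (ip, port, who), (rx, tx) in sorted(report.items()):
        print(f"{ip}:{port} opened_by={who} in={rx} out={tx}")
    print("remote-initiated:", remote_initiated(report))
```
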